Hi all,

I am unsucesfully looking for a solution to simple problem for an extended period of time,
so I realized it is better to ask for some help at this point.

Basically I have 5 locations (homes) with PPPOE authentication DSL Internet connections provided by local ISPs without fixed IPv4 addresses (change each day),
all NAT-ed and with disparate subnets properly assigned like 192.168.x.0/24, that I would like to integrate into single, routed, mesh network.
Encrypted where traversing Internet links.
One MikroTik router could be purchased for each location (cheapest possible, giving all this + 1 LAN port + WiFi).

I tried to look for L2TP/PPTP/SSL and similar tunnel solutions using DD-WRT and OpenWRT, but this seems not to be good idea
as 5 locations would need lots of tunnels defined to eliminate routing traffic through any other side, thus being being single point of failure.
I want mesh, rather then hub/star or flake network topology.
Also adding new site later would require updating settings on all existing routers, which needs to be eliminated.
It would be good just to add one new location without need to modify all existing ones to accommodate for traffic routing to newly added.
Also DynDns or NoIP service should be able to update IPs when changed for a particular site on all other routers in mesh network.

So I realized that this would be better done with some solution similar to MPLS/VPLS and Mikrotik routers hopefully.
From there I tried reading docs, but at this point cannot say what would be recommended solution?
I guess I don't need BGP as routing on that level is handled by different telcos from which DSL links are taken.
Networks internally are small NATed subnets so no OSPF or similar would be needed within the site.

But how to create this another mesh network layered on top of Internet, by using the existing links and encrypting traffic above is still a question.

The use case for something like this would be to share files over CIFS & FTP, direct SIP calling between the networks, DNS, remote management through SSH, Telnet & RDP.
Thus some COS/TOS and QOS support would also be nice to have considering asymmetric nature of links - though not mandatory.

Any direction greatly appreciated.

Thanks,
Tihovsky

I realized shortening prior post would help, so here it goes...

WANT:
I want to buy 5 Mikrotik routers to connect 5 sites into some sort of secure/encrypted network between them.
Each site should be able to access every other site through direct encrypted route/tunnel running over Internet.
This would create mesh network between all the sites eliminating single point of failure.
Hopefully adding additional router wouldn't create exponential increase in time for configuration of all the existing routers each time.

CURRENT:
Each site already has single dynamic (daily changing) public IPv4 address, whereas authentication with ISP is done over PPPoE (standard DSL provisioning).
Existing routers do NAT for local subnets to access Internet through these connections on each site. Would like to keep this NAT in the future.
ISPs do all WAN routing today through default route (spoke network).
No BGP use option offered from ISP, as link is considered "consumer" type.

Thanks,
Tihovsky

What you're looking for is DM-VPN, a brilliantly simple protocol, but one which only exists in Cisco routers (since Cisco invented it). Unfortunately I don't think there's an open variant of DM-VPN so Mikrotik would have to come up with their own protocol or license it off Cisco, both far fetched ideas..

I shall correct myself. All the components are already in RouterOS, except NHRP. There is an OpenNHRP implementation so Mikrotik just needs to put OpenNHRP in RouterOS to get DM-VPN functionality

I shall correct myself. All the components are already in RouterOS, except NHRP. There is an OpenNHRP implementation so Mikrotik just needs to put OpenNHRP in RouterOS to get DM-VPN functionality

I have been asking Mikrotik for NHRP/NHTB and VTI for the past 4 years with no success. Mikrotik really need to give their IPSEC implementation some love, hopefully we will see this in 6.x.

With VTI users will be able to have "IPSEC interfaces" e.g. Virtual Interfaces that correlate to IPSEC tunnels.

With NHRP/NHTB users will be able to bind multiple IPSEC tunnels to a single VTI interface, simplifying mesh IPSEC configurations and allowing for easier deployment of dynamic routing protocols.



Both of these technologies are commonplace on other vendors equipment, for example Juniper ScreenOS/JunOS, Palo Alto Networks PAN-OS, Cisco IOS, Fortinet FortiOS.


With the recent breaking of MS-CHAP v2 it can no longer be considered a secure VPN option, hopefully Mikrotik will start to extend their very basic IPSEC implementation to include more advanced features such as NHRP/NHTB, VTI and xauth.

Thank you both for help, really appreciated.

Funny how couple of IT buzzwords open up tons of materials to go through.
For now I will try with dd-wrt/Openwrt using tinc or opencloud.
Guess speed of encryption will be enough for what I need.

Please update if you hear some update about this in RouterOS world.

And why do you not follow the MPLS solution?

script it up.

ipsec + pptp

hub router:
create a transport mode, dynamic ipsec configuration.
enable pptp server
block pptp on wan (ipsec clients will get through)
setup DHCP for the pptp clients
setup OSPF for the DHCP subnet
create a script to run once per minute to dump the caller ID of all pptp clients into a text file.
enable ftp server

clients:
create a transport mode ipsec connection to hub.
create a pptp tunnel to hub
enable pptp server like on hub
create a script that downloads the client list txt file from ftp, then loop through creating ipsec connections and pptp tunnels
setup OSPF on the subnets used.

pptp tunnels because they can be assigned addresses from a pool, making everything dynamic. use a different pool on each router.
there would be 2 pptp connections between each router, but that's not a big deal. OSPF will handle it perfectly.

transport mode IPsec instead of tunnel because we don't want ipsec policy getting in the way of routing. transport just encrypts router WAN to router WAN.